How an eye-opening conversation with a medical device cybersecurity expert inspired us to start a podcast for product security teams
Cybersecurity pros are in the midst of an ongoing struggle. You need to constantly be on the watch for new threats, every single day. You need to find and recruit some of the most hard-to-come-by talent in existence, with limited resources. And even if you do your job exceptionally well, it only takes one miss to become the entire company’s scapegoat.
When it comes to product and device security, the stakes are extremely high, making that job even more challenging. It’s one thing to protect customers’ sensitive data, or a server infrastructure of a social media service, but it’s a whole other thing to prevent hackers from taking control of a car while its driver is on the highway, or a Bluetooth connected heart valve while it’s inside someone else’s body.
Connected devices have become an integral part of our lives. From the cars we use to commute, to the MRIs we rely on for diagnosis to the energy lines that keep the lights on at night – connected devices now power most of the world we live in. Which makes the job of the product security team all the more important.
“An Android vulnerability wouldn’t kill anyone. In our industry, it’s different”
As part of Cybellum, we deal with that reality every day. Our team has built the most comprehensive product security platform, which means we encounter life-threatening vulnerabilities on a daily basis as part of our security research and R&D efforts.
But it wasn’t until we spoke with Felipe Fernandes, Cyber Security Manager at Jaguar Land Rover, that this point really hit home with us. As Felipe said, “If you think about a tech company like Google – Android can carry thousands of vulnerabilities. Sometimes it can have big problems to expose some user data or something like that but you are not going to kill someone because of one vulnerability”.
He further explained – “Our environment is a little different. We are developing products that are going to be on the streets, at a speed that is not so low. So you can kill our customer. You can kill people that are on the street. The mindset is different”.
A grim perspective? Perhaps. But a true and crucial one nonetheless. Product security is a critical component of everyone’s lives, and the more people realize that, the better it will be for all of us.
The hard truth: security teams have made great progress, but the gaps are still unimaginable
The conversation with Felipe was a wake up call, no doubt – but nothing prepared us for what came next. After that call, we got in contact with another product security professional. This time, it was a world renowned security expert from the medical device industry, who worked with dozens of medical device manufacturers. His name is Chris Gates, and he is one of the people who literally wrote the book on medical device cybersecurity.
When asked what the most striking moment he had in the cybersecurity world was, this is what he told us:
“The first time I came across a medical device that had such critical vulnerabilities that it could result in a mass casualty event – this made a huge impact on me because of just how dangerous this can be.”
He continued – “Don’t worry. This thing is no longer in use, I managed to make changes to it, to shrink down the risk tremendously, and the overall product is now off the market. But that doesn’t mean there aren’t others.
We may think in terms of small scale attacks, a hospital or something, but we don’t think about taking an entire city and killing everybody with that medical device.”
We were left speechless. Here’s a world renowned medical device security expert, who knows most medical device manufacturers inside and out, telling us there are quite a few devices out there with serious, life threatening security vulnerabilities that have unbelievable repercussions.
And we couldn’t help but think of the impact this could have on everyone around us.
The only question left was: what can we do about it?
As marketers, our most valuable currency is and always has been awareness. Unlike product security teams or security researchers who are dedicating their lives to finding and mitigating security threats, all we can do at the end of the day, is to educate and raise awareness to the problem.
We had a lot of ideas on how to do exactly that — from starting a streaming show about product security, to launching a contest for finding cyber security threats. But eventually, we came to two very important realizations:
1. Product security pros around the world may be few in numbers, but each and every one of them is an expert, with invaluable knowledge to share.
2. Currently there are very few dedicated communities for product security people, where they can learn from one another and exchange that knowledge. There is no “product security school”, and the only way to learn is by listening to peers.
And then it hit us – why not start a podcast?
While a first for both my co-host, David Leichner and me, we realized that starting a podcast would be a great way for us to contribute to the community – by simply giving product security teams the stage they deserve to share their knowledge, so that everyone can learn and improve. So off we went to build it.
Left to Our Own Devices: a new product security podcast is born
That’s how Left to Our Own Devices came to be. Since starting the journey, we have already had some incredible conversations with the biggest industry leaders out there. From the 19yo hacker who broke into dozens of Teslas, to SBOM policy makers, medical device security thought leaders and automotive security practitioners, the amount of people we talked to and the things we learned were fascinating.
And this is just the beginning. We have already booked some incredible names going forward, and are now more confident than ever that product security teams have a new place to learn. All we can hope for is that it will move the needle towards creating a professional community and raising awareness, if only just a tiny bit.
Left to Our Own Devices is available now on Apple Music, Spotify, or wherever you get your podcasts: https://cybellum.com/podcasts/
If you’d like to be a guest on the show, or have any questions, feel free to contact us at firstname.lastname@example.org